The Elliptic Curve secp256k1

Overview

A curve of special interest is the Koblitz curve secp256k1 that is used in the Bitcoin ECDSA signature scheme. secp256k1 is a Certicom curve that‘s recommended by the Standards for Efficient Cryptography Group (SECG)Certicom Research. Standards for efficient cryptography, SEC 2: Recommended elliptic curve domain parameters, January 2010. Version 2.0.. The curve is defined over a prime field $\mathbb{F}_{p}$, where

$$p=2^{256}-2^{32}-2^{9}-2^{8}-2^{7}-2^{6}-2^{4}-1$$

is a generalized Mersenne prime number. The curve equation is given in the short Weierstrass form $y^{2}=x^{3}+A x+B$, where $A=0$ and $B=7$; therefore, the curve has $j$-invariant $j=0$ by this corollary :Elliptic_curves_corollary . The curve has 256-bit prime order

$$\# E\left(\mathbb{F}_{p}\right)=2^{256}-2^{129}-1$$

thus, $E\left(\mathbb{F}_{p}\right)$ is cyclic by this corollary :cyclicGrp_Corollary_3 , and hence every point except $\mathcal{O}$ has order $n$ and thus is a generator of $E\left(\mathbb{F}_{p}\right)$. However, the standard explicitly defines a base point $P$ by

$$\begin{aligned} P=& 0279 B E 667 E F 9 D C B B A C 55 A 06295 C E 870 B 07 \\ & 029 B F C D B 2 D C E 28 D 959 F 2815 B 16 F 81798 \end{aligned}$$

in the compressed form, having cofactor $h=01$. According to Bjoernsen (2015)Kristian Bjoernsen. Koblitz Curves and its Practical Uses in Bitcoin Security. 2015. Available online at http://koclab.cs.ucsb.edu/teaching/ecc/project/2015Projects/ Bjoernsen.pdf., there’s a lack of transparency regarding the choice of this specific base point since the SECG chair Dan Brown couldn’t give a sufficient explanation about the choice of the base point.